Rails brings down the hammer

Rails 3.2.3 comes like this out of the box. And Rails 4 will use an altogether different whitelist mechanism, called Strong Parameters. It’s available as a plugin if you can’t wait: https://github.com/rails/strong_parameters
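The whitelist idea behind Strong Parameters, written out as an added plain-Ruby example (not the gem's or Rails' own code): `permit`, `permit_value`, `REQUEST_PARAMS` and `USER_SPEC` are names made up for the illustration, and the request body is constructed.

```ruby
# Added illustration of the Strong Parameters idea in plain Ruby (not the
# strong_parameters gem's own code): the controller states which keys a request
# may set, and every other key is dropped before the hash reaches the model.
require 'set'

# spec: permitted scalar keys (symbols) and/or hashes mapping a key to a nested
# spec, e.g. [:name, :email, { address: [:city, :zip] }]
def permit(params, spec)
  scalars = Set.new
  nested  = {}
  spec.each do |entry|
    if entry.is_a?(Hash)
      entry.each { |k, sub| nested[k.to_s] = sub }
    else
      scalars << entry.to_s
    end
  end

  params.each_with_object({}) do |(key, value), out|
    key = key.to_s
    if scalars.include?(key) && !value.is_a?(Hash) && !value.is_a?(Array)
      out[key] = value                      # explicitly permitted scalar
    elsif nested.key?(key)
      out[key] = permit_value(value, nested[key])
    end
    # anything else (e.g. "admin") is dropped, so it can never be mass-assigned
  end
end

# A nested value may be one hash or an array of hashes; both are filtered with
# the sub-spec. Any other shape under a nested key is rejected.
def permit_value(value, sub_spec)
  case value
  when Hash  then permit(value, sub_spec)
  when Array then value.select { |v| v.is_a?(Hash) }.map { |v| permit(v, sub_spec) }
  else nil
  end
end

# Constructed request body: a signup form to which an "admin" field was appended.
REQUEST_PARAMS = {
  'name'    => 'alice',
  'email'   => 'alice@example.com',
  'admin'   => true,                        # mass-assignment attempt
  'address' => { 'city' => 'Oslo', 'zip' => '0150', 'verified' => true },
}.freeze

USER_SPEC = [:name, :email, { address: [:city, :zip] }].freeze

# What the model would actually receive: name, email and the permitted address keys.
def safe_user_params
  permit(REQUEST_PARAMS, USER_SPEC)
end

p safe_user_params if __FILE__ == $PROGRAM_NAME
```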

Denial of Service

How many people have you pissed off today? Last month?

DoS and DDoS attacks are infosec’s version of a rage comic. They’re not going to steal your data or spread malware. They just want to shut you down.

DDoS is crude but effective

To mount a distributed denial of service attack, just call up 500 of your closest friends, have them head over to Amnesty International’s website and keep pressing refresh for an hour. Bots can be substituted for friends.

If you have problems like these, talk to your ISP, use Cloudflare, etc. They’re pretty boring and well-known problems.

Algorithmic Complexity Attacks

For example, the classic SYN flood attack works by sending a stream of SYN requests to a server. The server opens a ton of connections which are never closed. With enough of them open, the OS runs out of RAM.

A recent exploit

Ancient history? Not really. A recently patched flaw in the JSON gem would let an attacker max out your RAM by creating millions of Ruby symbols. Symbols are never garbage-collected.

Good old fashioned server exploits

This is really what we think of when we think of hackers, right? People using buffer overflows to make Apache run arbitrary code as root.

But like most boring jobs, this too has been automated. If you look at your system logs right now, I bet you’ll see bots trying to brute-force an SSH login.

Automate attack detection

You can use something like fail2ban to automatically block the IP addresses of hosts that are attempting known attacks against you.